Analysis
- max time kernel: 139s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2023 08:34
Static task: static1
Behavioral task: behavioral1
- Sample: 0097261726716.PDF.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: 0097261726716.PDF.exe
- Resource: win10v2004-20231023-en
The signatures and process tree below are from behavioral2, the Windows 10 run (the memory-dump IoC is under behavioral2/ and the platform above is windows10-2004_x64).
General
- Target: 0097261726716.PDF.exe
- Size: 1.8MB
- MD5: f536ccec11f1b6fb95137514ce0e1ed5
- SHA1: 7dfd07532e6d80d2bea61196fc8dbd9bd1e9414d
- SHA256: ae5345f8b351ea82e6d74797baf379bc605c69e079cc5628ab486bf8d4b76b18
- SHA512: e1f52d043d04db94059f78e42f13dcb09fccbdeded3279db88c1ca8f421fc12fb20ea959272352b51f074f71f31e6462e241cff795915c7cc4fa326b77ea9011
- SSDEEP: 49152:bee0SeGwcSGQPOvlzgzRlyYFT9xZdmPSw:blMGNQPywXFJQ
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
- resource: behavioral2/memory/3324-4-0x0000000004860000-0x0000000005860000-memory.dmp
  yara_rule: modiloader_stage2
  The rule matched a 16 MiB region (0x04860000-0x05860000) dumped from the sample's own process, PID 3324: the decoded second stage was found in memory, not as a file on disk.

Adds Run key to start application (2 TTPs, 1 IoC)
- process: 0097261726716.PDF.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vexbaedh = "C:\\Users\\Public\\Vexbaedh.url"
  The value is written under the current user's hive (HKCU ...\CurrentVersion\Run), so it needs no elevation, and it points at an Internet shortcut (.url) in C:\Users\Public, a directory every local account can write to.

Program crash (1 IoC)
- pid: 2140 (WerFault.exe)
  pid_target: 3324 (0097261726716.PDF.exe)
  The sample itself crashed during the run; the WerFault.exe instances in the process tree are Windows Error Reporting handling that crash of PID 3324 (both carry -p 3324).

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
- description: HTTP User-Agent header; flow: 33; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- description: HTTP User-Agent header; flow: 35; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  This is the default User-Agent of the WinHttp.WinHttpRequest COM object: the requests were made through WinHTTP COM without the program setting a User-Agent of its own.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid: 3324; process: 0097261726716.PDF.exe
- pid: 3324; process: 0097261726716.PDF.exe

Suspicious use of WriteProcessMemory (3 IoCs)
- description: PID 3324 wrote to memory of 816; pid: 3324; process: 0097261726716.PDF.exe; target process: colorcpl.exe
  (the report lists this entry three times, one per WriteProcessMemory call)
  The target, colorcpl.exe, is a legitimate Windows binary that the sample launched itself (see the process tree). A freshly spawned system process being written to by its parent is consistent with process injection, which is why the signature fires.
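The three behaviours above (a Run value pointing at a shortcut in a world-writable directory, the WinHttpRequest User-Agent, and cross-process writes from a user-profile binary into a Windows system binary) translate directly into detection logic. The block below is an added example, not part of the sandbox report or of any vendor tooling: it runs those checks over constructed events shaped after this report's IoCs (the field names are the example's own, not the sandbox's export format), with a benign Run value and a browser User-Agent as controls that must not fire.

```python
import re
from collections import Counter

# Constructed sample events modelled on the IoCs in this report. The svchost
# Run value and the Chrome User-Agent are controls that must not be flagged.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0097261726716.PDF.exe"
EVENTS = [
    {"type": "registry", "pid": 3324, "image": SAMPLE, "op": "Set value (str)",
     "key": r"\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vexbaedh",
     "data": r"C:\Users\Public\Vexbaedh.url"},
    {"type": "registry", "pid": 4000, "image": r"C:\Windows\System32\svchost.exe",
     "op": "Set value (str)",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "http", "flow": 33,
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"type": "http", "flow": 35,
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"type": "http", "flow": 40,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0"},
] + [
    {"type": "memwrite", "pid": 3324, "image": SAMPLE,
     "target_pid": 816, "target_image": r"C:\Windows\SysWOW64\colorcpl.exe"}
] * 3  # the report lists the same WriteProcessMemory call three times

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\", re.I)   # Public and per-user profiles
SHORTCUT = re.compile(r"\.(url|lnk)$", re.I)
SCRIPT_HOST_UA = re.compile(r"WinHttp\.WinHttpRequest\.\d", re.I)  # WinHTTP COM default UA
WINDOWS_BINARY = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.I)
LURE_NAME = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.exe$", re.I)   # "document.PDF.exe"


def check_run_key(ev):
    """Flag a Run value whose data is a shortcut inside a user-writable directory."""
    if ev["type"] != "registry" or not ev["op"].startswith("Set value"):
        return None
    if not RUN_KEY.search(ev["key"]):
        return None
    target = ev["data"].strip('"')
    if SHORTCUT.search(target) and USER_WRITABLE.match(target):
        name = ev["key"].rsplit("\\", 1)[-1]
        return f"persistence: Run value {name} -> {target} (pid {ev['pid']})"
    return None


def check_user_agent(ev):
    """Flag HTTP flows that carry the unmodified WinHttp.WinHttpRequest User-Agent."""
    if ev["type"] == "http" and SCRIPT_HOST_UA.search(ev["user_agent"]):
        return f"script-host user-agent on flow {ev['flow']}: {ev['user_agent']}"
    return None


def check_injection(events):
    """Collapse repeated cross-process writes into one finding per (source, target)
    and flag writes from a user-profile binary into a Windows system binary."""
    writes = Counter((ev["pid"], ev["image"], ev["target_pid"], ev["target_image"])
                     for ev in events if ev["type"] == "memwrite")
    out = []
    for (pid, image, tpid, timage), n in writes.items():
        if USER_WRITABLE.match(image) and WINDOWS_BINARY.match(timage):
            tag = " lure-named" if LURE_NAME.search(image) else ""
            out.append(f"injection: pid {pid}{tag} wrote to pid {tpid} ({timage}) x{n}")
    return out


def triage(events):
    """Run every check and return the findings in event order."""
    findings = []
    for ev in events:
        for check in (check_run_key, check_user_agent):
            hit = check(ev)
            if hit:
                findings.append(hit)
    findings.extend(check_injection(events))
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The injection check deliberately keys on the source living under C:\Users\ rather than on colorcpl.exe by name: the loader can pick any other System32 binary as its target, while a lure-named executable in a user profile writing into an OS binary stays suspicious whichever target it chooses.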
Processes
- C:\Users\Admin\AppData\Local\Temp\0097261726716.PDF.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0097261726716.PDF.exe"
  PID: 3324
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\colorcpl.exe
    command line: C:\Windows\System32\colorcpl.exe
    PID: 816
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1912
    PID: 2140
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3324 -ip 3324
  PID: 3456

Two details of the tree are worth reading off. The sample's command line for its child names C:\Windows\System32\colorcpl.exe, but the image that actually ran is C:\Windows\SysWOW64\colorcpl.exe: WoW64 file-system redirection did that, which means the sample is a 32-bit process and its injection target is the 32-bit colorcpl.exe. Both WerFault.exe instances reference -p 3324, so the crash recorded under Program crash is the sample's own; the second WerFault (PID 3456) has no parent inside the captured tree.
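Reading the tree by hand works for four processes; for a larger report the same questions (which OS binaries were spawned by something in a user profile, which processes ran under WoW64, and which process each WerFault instance is reporting on) are easier to answer mechanically. The block below is an added example, not the sandbox's own code: it rebuilds the tree from constructed process records reproducing this report (the field names are the example's own, and ppid 0 stands for a parent outside the captured tree) and returns those observations as findings.

```python
import re

# Constructed process records reproducing this report's tree. ppid 0 marks a
# process whose parent is not part of the captured tree.
PROCS = [
    {"pid": 3324, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0097261726716.PDF.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0097261726716.PDF.exe"'},
    {"pid": 816, "ppid": 3324,
     "image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "cmdline": r"C:\Windows\System32\colorcpl.exe"},
    {"pid": 2140, "ppid": 3324,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1912"},
    {"pid": 3456, "ppid": 0,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3324 -ip 3324"},
]

USER_PROFILE = re.compile(r"^[a-z]:\\Users\\", re.I)
SYSTEM_IMAGE = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64)\\([^\\]+\.exe)$", re.I)
# "-p <pid>" as its own switch; "-pss" and "-ip" must not match.
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)", re.I)


def build_tree(procs):
    """Index processes by pid and map each ppid to the pids it spawned."""
    by_pid = {p["pid"]: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p["pid"])
    return by_pid, children


def lineage_findings(procs):
    """Return human-readable observations about parent/child relationships."""
    by_pid, _children = build_tree(procs)
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        m = SYSTEM_IMAGE.match(p["image"])
        if not m:
            continue
        system_dir, exe = m.group(1).lower(), m.group(2).lower()
        # 1. An OS binary started by something living in a user profile.
        #    WerFault is skipped here: a crashing process launches it itself.
        if parent and USER_PROFILE.match(parent["image"]) and exe != "werfault.exe":
            findings.append(f"{m.group(2)} (pid {p['pid']}) spawned by "
                            f"user-profile binary pid {parent['pid']}")
        # 2. WoW64 redirection: command line says System32, image is SysWOW64.
        if system_dir == "syswow64" and "system32" in p["cmdline"].lower():
            findings.append(f"pid {p['pid']} is 32-bit: System32 in cmdline "
                            f"redirected to SysWOW64")
        # 3. WerFault -p <pid>: resolve which process crashed, if it is in the tree.
        if exe == "werfault.exe":
            w = WERFAULT_PID.search(p["cmdline"])
            if w:
                crashed = int(w.group(1))
                who = by_pid[crashed]["image"] if crashed in by_pid else "process not in tree"
                findings.append(f"WerFault pid {p['pid']} reports crash of pid {crashed} ({who})")
    return findings


if __name__ == "__main__":
    for line in lineage_findings(PROCS):
        print(line)
```

Resolving the WerFault -p argument against the tree is what ties the Program crash signature back to the sample: without it, two WerFault processes in a report are just noise, with it they tell you the loader itself faulted after spawning and writing to colorcpl.exe.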